SlideShare uma empresa Scribd logo

Hhs en05 system_identification

S
Shoaib Sheikh
Tecnologia
1 de 12
Baixar para ler offline
LESSON 5 SYSTEM IDENTIFICATION
LESSON 5 – SYSTEM IDENTIFICATION “License for Use” Information The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at www.hackerhighschool.org/license. The HHS Project is a learning tool and as with any learning tool, the instruction is the influence of the instructor and not the tool. ISECOM cannot accept responsibility for how any information herein is applied or abused. The HHS Project is an open community effort and if you find value in this project, we do ask you support us through the purchase of a license, a donation, or sponsorship. All works copyright ISECOM, 2004. 2
LESSON 5 – SYSTEM IDENTIFICATION Table of Contents “License for Use” Information.................................................................................................................. 2 Contributors................................................................................................................................................ 4 5.0 Introduction..........................................................................................................................................5 5.1 Identifying a Server.............................................................................................................................. 6 5.1.1 Identifying the Owner of a Domain.......................................................................................... 6 5.1.2 Identifying the IP address of a Domain.................................................................................... 6 5.2 Identifying Services.............................................................................................................................. 6 5.2.1 Ping and TraceRoute................................................................................................................... 6 5.2.2 Banner Grabbing......................................................................................................................... 7 5.2.3 Identifying Services from Ports and Protocols.......................................................................... 7 5.3 System Fingerprinting.......................................................................................................................... 9 5.3.1 Scanning Remote Computers.................................................................................................... 9 Further Reading........................................................................................................................................ 12 3
LESSON 5 – SYSTEM IDENTIFICATION Contributors Chuck Truett, ISECOM Marta Barceló, ISECOM Kim Truett, ISECOM Pete Herzog, ISECOM 4
LESSON 5 – SYSTEM IDENTIFICATION 5.0 Introduction It is obvious that someone who sits down at the keyboard of your computer can gather information about it, including the operating system and the programs that are running, but it is also possible for someone to use a network connection to gather information about a remote computer. This lesson will describe some of the ways in which that information can be gathered. Knowing how this information is gathered will help you to ensure that your local computer is safe from these activities. 5
LESSON 5 – SYSTEM IDENTIFICATION 5.1 Identifying a Server There are a number of useful sources on the Web which will allow you to collect information about domain names and IP addresses. 5.1.1 Identifying the Owner of a Domain The first step in identifying a remote system is to look at the domain name or IP address. Using a Whois lookup, you can discover valuable information, including the identity of the owner of a domain and contact information, which may include addresses and phone numbers. Note that there are now a number of domain name registrars, and not all whois databases contain information for all domains. You may have to look at more that one whois database to find information on the domain that you are investigating. 5.1.2 Identifying the IP address of a Domain There are a number of ways to determine the IP address of a domain. The address may be contained in the whois information or you may have to use a DNS or Domain Name Service lookup. (A web search engine will provide a number of resources for discovering IP addresses from domain names.) Once you have the IP address, you can access the records of the various members of the Number Resource Organization (http://www.arin.net/ or http://www.ripe.net/), to gain information about how IP addresses are distributed. IP numbers are assigned to service providers and networks in large groups, and knowing which group an IP address is contained in, and who has the rights to that group, can be very useful. This can help you determine information about the server or service provider that a website uses. Exercises: Pick a valid domain name and use a Whois lookup to find out who owns that domain. dominio (http://www.whois.com -> “isecom.org”+Go -> Whois Lookup) What other information is available? When was the domain created? When will it expire? When was it last updated? Find the IP address for this domain name. Using the whois lookups for the various members of the Number Resource Organization determine who this IP address has been assigned to. (Start with the www.arin.net, page, which also links to the other members of the NRO.) What is the range of the other numbers that have also been registered to this entity? 5.2 Identifying Services Once you have established the owner and the IP address of a domain, then you can start to look for information about the server to which that domain refers. 5.2.1 Ping and TraceRoute Now that you know who owns the domain, and who the IP number has been assigned to, you can check to see if the server that the website is on is actually active. The ping command will tell you if there is actually a computer associated with that domain or IP. The command ping domain or ping ipaddress 6
LESSON 5 – SYSTEM IDENTIFICATION will tell you if there is an active computer at that address. If the output of the ping command indicates that the packets sent were received, then you can assume that the server is active. Another command, tracert (in Windows) or traceroute (in Linux) will show you the steps that information takes as it travels from your computer to the remote computer. Tracing the route that the packets take will sometimes give you additional information about the computers in the network with the computer that is the target of your trace. For example, computers will similar IP addresses will often be part of the same network. Exercises: Ping a valid website or IP address (ping www.isecom.org or ping 216.92.116.13). If you get a successful response, ping the next IP address. Did this produce a successful response? Use tracert or traceroute to trace the route from your local computer to the IP address that you used in the previous exercise. How many steps does it take? Do any of the listed computers have similar IP addresses? 5.2.2 Banner Grabbing The next step in identifying a remote system is to try to connect using telnet and FTP. The server programs for these services display text messages called banners. A banner may state clearly and precisely what server program is running. For example, when you connect to an anonymous FTP server, you might get the following message: Connected to anon.server. 220 ProFTPD Server (Welcome . . . ) User (anon.server:(none)): While the number 220 is an FTP code which indicates that the server is ready for a new user, the text message ProFTPD Server identifies the FTP server program that is running on the remote computer. Using a web search engine, you can learn what operating system the program runs on and other details about its requirements, capabilities, limitations, and flaws. The primary flaw in the use of banner grabbing to gather information about a system is that clever system administrators can spoof banners. A banner that reads NoneOfYourBusiness Server is obviously misleading, but a Unix system with a banner that reads WS_FTP Server (a Windows-based FTP server) is going to complicate any intelligence gathering that may be done. 5.2.3 Identifying Services from Ports and Protocols You can also determine what programs are running on a system by looking at what ports are open and what protocols are in use. Start by looking at your own local computer. Go to a command line or shell prompt and run the netstat program using the -a (or all) switch: netstat -a The computer will display a list of open ports and some of the services that are using those ports: Active Connections 7
LESSON 5 – SYSTEM IDENTIFICATION Proto Local Address Foreign Address State TCP YourComputer:microsoft-ds YourComputer:0 LISTENING TCP YourComputer:1025 YourComputer:0 LISTENING TCP YourComputer:1030 YourComputer:0 LISTENING TCP YourComputer:5000 YourComputer:0 LISTENING TCP YourComputer:netbios-ssn YourComputer:0 LISTENING TCP YourComputer:1110 216.239.57.147:http TIME_WAIT UDP YourComputer:microsoft-ds *:* UDP YourComputer:isakmp *:* UDP YourComputer:1027 *:* UDP YourComputer:1034 *:* UDP YourComputer:1036 *:* UDP YourComputer:ntp *:* UDP YourComputer:netbios-ns *:* UDP YourComputer:netbios-dgm *:* From this you can see many of the programs and services that are running on your local computer – many of which you don't even realize are running. Another program, called fport, provides information similar to that which netstat does, but it also details which programs are using the open ports and protocols. (Fport is available for free download from www.foundstone.com.) Another program, called nmap (for network mapper), will more thoroughly probe your computer for open ports. When nmap is run, it will display a list of open ports and the services or protocols that use those ports. It may also be able to determine what operating system your computer is using. For example, if you run nmap on your local computer, you might see the following output: Port State Service 22/tcp open ssh 68/tcp open dhcpclient 139/tcp open netbios-ssn 445/tcp open microsoft-ds Device type: general purpose Running: Linux 2.4X|2.5.X OS details: Linux Kernel 2.4.0 – 2.5.20 Uptime 1.024 days (since Sat Jul 4 12:15:48 2004) Nmap is available on your Hacker Highschool or L. A. S. cd. It is also available for download from www.insecure.org. Exercises: Run netstat on your local computer, using the -a switch. netstat -a 8
LESSON 5 – SYSTEM IDENTIFICATION What ports are open? Using a web search engine, can you match these ports with the services that run on them? (This would be a good exercise to try at home, also, to see if your computer is running unnecessary – and potentially dangerous – services, such as FTP and telnet.) Run nmap, using the -sS (for SYN Stealth scan), and -O (for guess operating system) switches and the IP address 127.0.0.1 as the target. nmap -sS -O 127.0.0.1 The IP address 127.0.0.1 specifies the local host, or your local computer. (Note: this is different from the IP address that other computers on the internet use to communicate with yours; on any machine, the IP address 127.0.0.1 refers to the local computer) What open ports does nmap find? What services and programs are using these ports? Try running nmap while you have a web browser or telnet client open. Does this change the results? 5.3 System Fingerprinting Now that you know how to identify a server and how to scan for open ports and use this information to determine what services are running, you can put this information together to fingerprint a remote system, establishing the most likely operating system and services that the remote computer is running. 5.3.1 Scanning Remote Computers Using an IP address or a domain name other than 127.0.0.1 as an argument for nmap allows you to scan for open ports on remote computers. It doesn't mean that there will be open ports, or that you will find them, but it does allow you to try. For example, imagine that you have been receiving a large amount of spam e-mails, and you want to discover information about the person who is sending you these e-mails. Looking at the headers of one of the e-mails, you see that many of the e-mails have originated from the same IP address: 256.92.116.13 (see Lesson 9: E-mail Security for more details on reading e- mail headers). A whois lookup shows you that the address is part of a block assigned to a large ISP, but gives you no information regarding this particular IP address. If you then use nmap to scan the computer at that address, you get the following results: nmap -sS -O 256.92.116.13 Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-07-03 20:13 Eastern Daylight Time Interesting ports on 256.92.116.13: (The 1632 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 80/tcp open http 9
LESSON 5 – SYSTEM IDENTIFICATION 110/tcp open pop3 113/tcp open auth 135/tcp filtered msrpc 136/tcp filtered profile 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 143/tcp open imap 144/tcp open news 161/tcp filtered snmp 306/tcp open unknown 443/tcp open https 445/tcp filtered microsoft-ds 513/tcp open login 514/tcp open shell No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: SInfo(V=3.50%P=i686-pc-windows-windows%D=7/3%Time=40E74EC0%O=21%C=1) TSeq(Class=TR%IPID=RD%TS=1000HZ) T1(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) T2(Resp=N) T3(Resp=N) T4(Resp=N) T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=N) T7(Resp=N) Uptime 1.877 days (since Thu Jul 01 23:23:56 2004) Nmap run completed -- 1 IP address (1 host up) scanned in 775.578 seconds The ports marked as filtered are well-known as potentially vulnerable to attack, so it is not a surprise to find them listed as filtered. What is most interesting is that ports 21, 22 and 23 – for ftp, ssh and telnet – are all listed as open. The last thing that nmap does is to try to identify the operating system that is running on the scanned computer. In this instance, the tests that nmap runs are inconclusive, however, since nmap does show that ftp and telnet services are both running, you can attempt to connect through each of those to see if there is a banner that will be broadcast. When you connect through FTP you see a banner that says: 10
LESSON 5 – SYSTEM IDENTIFICATION 220 ftp316.pair.com NcFTPd Server (licensed copy) ready. When you then connect through telnet, the computer displays a banner which says FreeBSD/i386 (ttyp7) A quick web search tells you that NcFTPd is a Unix program and that FreeBSD is a Unix-type operating system, so it is likely that the server is running a version of FreeBSD as its operating system. You can't be certain that this is accurate (banners can be spoofed), but you can accept this as a reasonable guess. So, by using nmap, along with FTP and telnet, you have determined that the server which has been sending you spam runs a Unix-type operating system – probably FreeBSD – and is set up to send and receive a large variety of information, through a number of services including FTP, telnet, http, smtp and pop3. 11
LESSON 5 – SYSTEM IDENTIFICATION Further Reading Nmap: http://www.insecure.org/nmap/ More on Nmap: http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=8702942&classr oom= Fport:http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent =/resources/proddesc/fport.htm A number of site detailing ports and the services that use them: http://www.chebucto.ns.ca/~rakerman/port-table.html http://www.chebucto.ns.ca/~rakerman/port-table.html#IANA http://www.iana.org/assignments/port-numbers http://www.networksorcery.com/enp/protocol/ip/ports00000.htm Various DNS lookups: http://www.dnsstuff.com/ Ping:http://www.freesoft.org/CIE/Topics/53.htm 12

Recomendados

Hhs en10 web_security_and_privacy
Hhs en10 web_security_and_privacyHhs en10 web_security_and_privacy
Hhs en10 web_security_and_privacyShoaib Sheikh
 
Hhs toc glossary
Hhs toc glossaryHhs toc glossary
Hhs toc glossaryShoaib Sheikh
 
Hackers tools (816 4816-10)
Hackers tools (816 4816-10)Hackers tools (816 4816-10)
Hackers tools (816 4816-10)Shoaib Sheikh
 
Hhs en09 email_security
Hhs en09 email_securityHhs en09 email_security
Hhs en09 email_securityShoaib Sheikh
 
Hhs en02 windows_and_linux
Hhs en02 windows_and_linuxHhs en02 windows_and_linux
Hhs en02 windows_and_linuxShoaib Sheikh
 
Hhs en08 forensics
Hhs en08 forensicsHhs en08 forensics
Hhs en08 forensicsShoaib Sheikh
 
Iu report
Iu reportIu report
Iu reportLiên Hán
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)Sri Prasanna
 

Recomendados

Hhs en10 web_security_and_privacy
Hhs en10 web_security_and_privacyHhs en10 web_security_and_privacy
Hhs en10 web_security_and_privacyShoaib Sheikh
 
Hhs toc glossary
Hhs toc glossaryHhs toc glossary
Hhs toc glossaryShoaib Sheikh
 
Hackers tools (816 4816-10)
Hackers tools (816 4816-10)Hackers tools (816 4816-10)
Hackers tools (816 4816-10)Shoaib Sheikh
 
Hhs en09 email_security
Hhs en09 email_securityHhs en09 email_security
Hhs en09 email_securityShoaib Sheikh
 
Hhs en02 windows_and_linux
Hhs en02 windows_and_linuxHhs en02 windows_and_linux
Hhs en02 windows_and_linuxShoaib Sheikh
 
Hhs en08 forensics
Hhs en08 forensicsHhs en08 forensics
Hhs en08 forensicsShoaib Sheikh
 
Iu report
Iu reportIu report
Iu reportLiên Hán
 
Firewalls (Distributed computing)
Firewalls (Distributed computing)Firewalls (Distributed computing)
Firewalls (Distributed computing)Sri Prasanna
 
Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conferencexsist10
 
Iu report
Iu reportIu report
Iu reportLiên Hán
 
IBPS SO
IBPS SOIBPS SO
IBPS SOJitendra kadu
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
finalreport1182014
finalreport1182014finalreport1182014
finalreport1182014chanhduy
 
Spiffy Spyware Stuff
Spiffy Spyware StuffSpiffy Spyware Stuff
Spiffy Spyware Stuffn|u - The Open Security Community
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Eseminar1
Eseminar1Eseminar1
Eseminar1Shiva Krishna Chandra Shekar
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 
Mobile Security - Hakin9 Magazine
Mobile Security - Hakin9 MagazineMobile Security - Hakin9 Magazine
Mobile Security - Hakin9 Magazinelogfusion
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security conceptssonuagain
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
eForensics_17_2013_KMOKER
eForensics_17_2013_KMOKEReForensics_17_2013_KMOKER
eForensics_17_2013_KMOKERKevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPxsist10
 
Meterpreter awareness
Meterpreter awarenessMeterpreter awareness
Meterpreter awarenessHaydn Johnson
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its DefenceGreater Noida Institute Of Technology
 
fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)Abhishek Singh
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
After The Crash Minimize Your Downtime
After The Crash Minimize Your DowntimeAfter The Crash Minimize Your Downtime
After The Crash Minimize Your DowntimeTechSoup
 
Footprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdfFootprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdfsdfghj21
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingSathishkumar A
 

Mais conteúdo relacionado

Mais procurados

Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Beneluxxsist10
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conferencexsist10
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
finalreport1182014
finalreport1182014finalreport1182014
finalreport1182014chanhduy
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)Avansa Mid- en Zuidwest
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)xsist10
 
Mobile Security - Hakin9 Magazine
Mobile Security - Hakin9 MagazineMobile Security - Hakin9 Magazine
Mobile Security - Hakin9 Magazinelogfusion
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security conceptssonuagain
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...Kevin M. Moker, CFE, CISSP, ISSMP, CISM
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPxsist10
 
Meterpreter awareness
Meterpreter awarenessMeterpreter awareness
Meterpreter awarenessHaydn Johnson
 
fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)Abhishek Singh
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
After The Crash Minimize Your Downtime
After The Crash Minimize Your DowntimeAfter The Crash Minimize Your Downtime
After The Crash Minimize Your DowntimeTechSoup
 

Mais procurados (20)

Security Theatre - Benelux
Security Theatre - BeneluxSecurity Theatre - Benelux
Security Theatre - Benelux
 
Security Theatre - PHP UK Conference
Security Theatre - PHP UK ConferenceSecurity Theatre - PHP UK Conference
Security Theatre - PHP UK Conference
 
Iu report
Iu reportIu report
Iu report
 
IBPS SO
IBPS SOIBPS SO
IBPS SO
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems design
 
finalreport1182014
finalreport1182014finalreport1182014
finalreport1182014
 
Spiffy Spyware Stuff
Spiffy Spyware StuffSpiffy Spyware Stuff
Spiffy Spyware Stuff
 
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
OpenTechTalks: Ethical hacking with Kali Linux (Tijl Deneut, UGent)
 
Eseminar1
Eseminar1Eseminar1
Eseminar1
 
Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)Security Theatre (PHP Leuven)
Security Theatre (PHP Leuven)
 
Mobile Security - Hakin9 Magazine
Mobile Security - Hakin9 MagazineMobile Security - Hakin9 Magazine
Mobile Security - Hakin9 Magazine
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
 
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
eForensics Magazine - HOW TO STEAL GMAIL CREDENTIALS USING SE-TOOLKIT – A CA...
 
eForensics_17_2013_KMOKER
eForensics_17_2013_KMOKEReForensics_17_2013_KMOKER
eForensics_17_2013_KMOKER
 
Security Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHPSecurity Theatre - AmsterdamPHP
Security Theatre - AmsterdamPHP
 
Meterpreter awareness
Meterpreter awarenessMeterpreter awareness
Meterpreter awareness
 
Hacking and its Defence
Hacking and its DefenceHacking and its Defence
Hacking and its Defence
 
fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)fireeye-hot-knives-through-butter(1)
fireeye-hot-knives-through-butter(1)
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012
 
After The Crash Minimize Your Downtime
After The Crash Minimize Your DowntimeAfter The Crash Minimize Your Downtime
After The Crash Minimize Your Downtime
 

Semelhante a Hhs en05 system_identification

Footprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdfFootprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdfsdfghj21
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingSathishkumar A
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessLeon Teale
 
( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathringGouasmia Zakaria
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnetrosu555
 
CSEC 610 Individual Assignment Essay
CSEC 610 Individual Assignment EssayCSEC 610 Individual Assignment Essay
CSEC 610 Individual Assignment EssayRochelle Schear
 
Desktop interview qestions & answer
Desktop interview qestions & answerDesktop interview qestions & answer
Desktop interview qestions & answermandarshetye45
 
Short Term Effects Of Cocaine Essay
Short Term Effects Of Cocaine EssayShort Term Effects Of Cocaine Essay
Short Term Effects Of Cocaine EssayMelissa Luster
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunickamiable_indian
 
Introduction to Network and System Administration
Introduction to Network and System AdministrationIntroduction to Network and System Administration
Introduction to Network and System AdministrationDuressa Teshome
 

Semelhante a Hhs en05 system_identification (20)

Footprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdfFootprinting LAB SETUP GUIDE.pdf
Footprinting LAB SETUP GUIDE.pdf
 
Footprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hackingFootprinting-and-the-basics-of-hacking
Footprinting-and-the-basics-of-hacking
 
Systems Administration
Systems AdministrationSystems Administration
Systems Administration
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
business
businessbusiness
business
 
( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring( Ethical hacking tools ) Information grathring
( Ethical hacking tools ) Information grathring
 
ch01.ppt
ch01.pptch01.ppt
ch01.ppt
 
It04 roshan basnet
It04 roshan basnetIt04 roshan basnet
It04 roshan basnet
 
HHS_TOC_Glossary EMERSON EDUARDO RODRIGUES
HHS_TOC_Glossary EMERSON EDUARDO RODRIGUESHHS_TOC_Glossary EMERSON EDUARDO RODRIGUES
HHS_TOC_Glossary EMERSON EDUARDO RODRIGUES
 
CSEC 610 Individual Assignment Essay
CSEC 610 Individual Assignment EssayCSEC 610 Individual Assignment Essay
CSEC 610 Individual Assignment Essay
 
Osquery
OsqueryOsquery
Osquery
 
Desktop interview qestions & answer
Desktop interview qestions & answerDesktop interview qestions & answer
Desktop interview qestions & answer
 
Lesson 2
Lesson 2Lesson 2
Lesson 2
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Short Term Effects Of Cocaine Essay
Short Term Effects Of Cocaine EssayShort Term Effects Of Cocaine Essay
Short Term Effects Of Cocaine Essay
 
Wp fqdn deprecation
Wp fqdn deprecationWp fqdn deprecation
Wp fqdn deprecation
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
 
Introduction to Network and System Administration
Introduction to Network and System AdministrationIntroduction to Network and System Administration
Introduction to Network and System Administration
 
Let's Encrypt + DANE
Let's Encrypt + DANELet's Encrypt + DANE
Let's Encrypt + DANE
 
Protect your website
Protect your websiteProtect your website
Protect your website
 

Último

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Último (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

Hhs en05 system_identification

  • 2. LESSON 5 – SYSTEM IDENTIFICATION “License for Use” Information The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool project are provided for non-commercial use with elementary school students, junior high school students, and high school students whether in a public institution, private institution, or a part of home-schooling. These materials may not be reproduced for sale in any form. The provision of any class, course, training, or camp with these materials for which a fee is charged is expressly forbidden without a license including college classes, university classes, trade-school classes, summer or computer camps, and similar. To purchase a license, visit the LICENSE section of the Hacker Highschool web page at www.hackerhighschool.org/license. The HHS Project is a learning tool and as with any learning tool, the instruction is the influence of the instructor and not the tool. ISECOM cannot accept responsibility for how any information herein is applied or abused. The HHS Project is an open community effort and if you find value in this project, we do ask you support us through the purchase of a license, a donation, or sponsorship. All works copyright ISECOM, 2004. 2
  • 3. LESSON 5 – SYSTEM IDENTIFICATION Table of Contents “License for Use” Information.................................................................................................................. 2 Contributors................................................................................................................................................ 4 5.0 Introduction..........................................................................................................................................5 5.1 Identifying a Server.............................................................................................................................. 6 5.1.1 Identifying the Owner of a Domain.......................................................................................... 6 5.1.2 Identifying the IP address of a Domain.................................................................................... 6 5.2 Identifying Services.............................................................................................................................. 6 5.2.1 Ping and TraceRoute................................................................................................................... 6 5.2.2 Banner Grabbing......................................................................................................................... 7 5.2.3 Identifying Services from Ports and Protocols.......................................................................... 7 5.3 System Fingerprinting.......................................................................................................................... 9 5.3.1 Scanning Remote Computers.................................................................................................... 9 Further Reading........................................................................................................................................ 12 3
  • 4. LESSON 5 – SYSTEM IDENTIFICATION Contributors Chuck Truett, ISECOM Marta Barceló, ISECOM Kim Truett, ISECOM Pete Herzog, ISECOM 4
  • 5. LESSON 5 – SYSTEM IDENTIFICATION 5.0 Introduction It is obvious that someone who sits down at the keyboard of your computer can gather information about it, including the operating system and the programs that are running, but it is also possible for someone to use a network connection to gather information about a remote computer. This lesson will describe some of the ways in which that information can be gathered. Knowing how this information is gathered will help you to ensure that your local computer is safe from these activities. 5
  • 6. LESSON 5 – SYSTEM IDENTIFICATION 5.1 Identifying a Server There are a number of useful sources on the Web which will allow you to collect information about domain names and IP addresses. 5.1.1 Identifying the Owner of a Domain The first step in identifying a remote system is to look at the domain name or IP address. Using a Whois lookup, you can discover valuable information, including the identity of the owner of a domain and contact information, which may include addresses and phone numbers. Note that there are now a number of domain name registrars, and not all whois databases contain information for all domains. You may have to look at more that one whois database to find information on the domain that you are investigating. 5.1.2 Identifying the IP address of a Domain There are a number of ways to determine the IP address of a domain. The address may be contained in the whois information or you may have to use a DNS or Domain Name Service lookup. (A web search engine will provide a number of resources for discovering IP addresses from domain names.) Once you have the IP address, you can access the records of the various members of the Number Resource Organization (http://www.arin.net/ or http://www.ripe.net/), to gain information about how IP addresses are distributed. IP numbers are assigned to service providers and networks in large groups, and knowing which group an IP address is contained in, and who has the rights to that group, can be very useful. This can help you determine information about the server or service provider that a website uses. Exercises: Pick a valid domain name and use a Whois lookup to find out who owns that domain. dominio (http://www.whois.com -> “isecom.org”+Go -> Whois Lookup) What other information is available? When was the domain created? When will it expire? When was it last updated? Find the IP address for this domain name. Using the whois lookups for the various members of the Number Resource Organization determine who this IP address has been assigned to. (Start with the www.arin.net, page, which also links to the other members of the NRO.) What is the range of the other numbers that have also been registered to this entity? 5.2 Identifying Services Once you have established the owner and the IP address of a domain, then you can start to look for information about the server to which that domain refers. 5.2.1 Ping and TraceRoute Now that you know who owns the domain, and who the IP number has been assigned to, you can check to see if the server that the website is on is actually active. The ping command will tell you if there is actually a computer associated with that domain or IP. The command ping domain or ping ipaddress 6
  • 7. LESSON 5 – SYSTEM IDENTIFICATION will tell you if there is an active computer at that address. If the output of the ping command indicates that the packets sent were received, then you can assume that the server is active. Another command, tracert (in Windows) or traceroute (in Linux) will show you the steps that information takes as it travels from your computer to the remote computer. Tracing the route that the packets take will sometimes give you additional information about the computers in the network with the computer that is the target of your trace. For example, computers will similar IP addresses will often be part of the same network. Exercises: Ping a valid website or IP address (ping www.isecom.org or ping 216.92.116.13). If you get a successful response, ping the next IP address. Did this produce a successful response? Use tracert or traceroute to trace the route from your local computer to the IP address that you used in the previous exercise. How many steps does it take? Do any of the listed computers have similar IP addresses? 5.2.2 Banner Grabbing The next step in identifying a remote system is to try to connect using telnet and FTP. The server programs for these services display text messages called banners. A banner may state clearly and precisely what server program is running. For example, when you connect to an anonymous FTP server, you might get the following message: Connected to anon.server. 220 ProFTPD Server (Welcome . . . ) User (anon.server:(none)): While the number 220 is an FTP code which indicates that the server is ready for a new user, the text message ProFTPD Server identifies the FTP server program that is running on the remote computer. Using a web search engine, you can learn what operating system the program runs on and other details about its requirements, capabilities, limitations, and flaws. The primary flaw in the use of banner grabbing to gather information about a system is that clever system administrators can spoof banners. A banner that reads NoneOfYourBusiness Server is obviously misleading, but a Unix system with a banner that reads WS_FTP Server (a Windows-based FTP server) is going to complicate any intelligence gathering that may be done. 5.2.3 Identifying Services from Ports and Protocols You can also determine what programs are running on a system by looking at what ports are open and what protocols are in use. Start by looking at your own local computer. Go to a command line or shell prompt and run the netstat program using the -a (or all) switch: netstat -a The computer will display a list of open ports and some of the services that are using those ports: Active Connections 7
  • 8. LESSON 5 – SYSTEM IDENTIFICATION Proto Local Address Foreign Address State TCP YourComputer:microsoft-ds YourComputer:0 LISTENING TCP YourComputer:1025 YourComputer:0 LISTENING TCP YourComputer:1030 YourComputer:0 LISTENING TCP YourComputer:5000 YourComputer:0 LISTENING TCP YourComputer:netbios-ssn YourComputer:0 LISTENING TCP YourComputer:1110 216.239.57.147:http TIME_WAIT UDP YourComputer:microsoft-ds *:* UDP YourComputer:isakmp *:* UDP YourComputer:1027 *:* UDP YourComputer:1034 *:* UDP YourComputer:1036 *:* UDP YourComputer:ntp *:* UDP YourComputer:netbios-ns *:* UDP YourComputer:netbios-dgm *:* From this you can see many of the programs and services that are running on your local computer – many of which you don't even realize are running. Another program, called fport, provides information similar to that which netstat does, but it also details which programs are using the open ports and protocols. (Fport is available for free download from www.foundstone.com.) Another program, called nmap (for network mapper), will more thoroughly probe your computer for open ports. When nmap is run, it will display a list of open ports and the services or protocols that use those ports. It may also be able to determine what operating system your computer is using. For example, if you run nmap on your local computer, you might see the following output: Port State Service 22/tcp open ssh 68/tcp open dhcpclient 139/tcp open netbios-ssn 445/tcp open microsoft-ds Device type: general purpose Running: Linux 2.4X|2.5.X OS details: Linux Kernel 2.4.0 – 2.5.20 Uptime 1.024 days (since Sat Jul 4 12:15:48 2004) Nmap is available on your Hacker Highschool or L. A. S. cd. It is also available for download from www.insecure.org. Exercises: Run netstat on your local computer, using the -a switch. netstat -a 8
  • 9. LESSON 5 – SYSTEM IDENTIFICATION What ports are open? Using a web search engine, can you match these ports with the services that run on them? (This would be a good exercise to try at home, also, to see if your computer is running unnecessary – and potentially dangerous – services, such as FTP and telnet.) Run nmap, using the -sS (for SYN Stealth scan), and -O (for guess operating system) switches and the IP address 127.0.0.1 as the target. nmap -sS -O 127.0.0.1 The IP address 127.0.0.1 specifies the local host, or your local computer. (Note: this is different from the IP address that other computers on the internet use to communicate with yours; on any machine, the IP address 127.0.0.1 refers to the local computer) What open ports does nmap find? What services and programs are using these ports? Try running nmap while you have a web browser or telnet client open. Does this change the results? 5.3 System Fingerprinting Now that you know how to identify a server and how to scan for open ports and use this information to determine what services are running, you can put this information together to fingerprint a remote system, establishing the most likely operating system and services that the remote computer is running. 5.3.1 Scanning Remote Computers Using an IP address or a domain name other than 127.0.0.1 as an argument for nmap allows you to scan for open ports on remote computers. It doesn't mean that there will be open ports, or that you will find them, but it does allow you to try. For example, imagine that you have been receiving a large amount of spam e-mails, and you want to discover information about the person who is sending you these e-mails. Looking at the headers of one of the e-mails, you see that many of the e-mails have originated from the same IP address: 256.92.116.13 (see Lesson 9: E-mail Security for more details on reading e- mail headers). A whois lookup shows you that the address is part of a block assigned to a large ISP, but gives you no information regarding this particular IP address. If you then use nmap to scan the computer at that address, you get the following results: nmap -sS -O 256.92.116.13 Starting nmap 3.50 ( http://www.insecure.org/nmap ) at 2004-07-03 20:13 Eastern Daylight Time Interesting ports on 256.92.116.13: (The 1632 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 21/tcp open ftp 22/tcp open ssh 23/tcp open telnet 25/tcp open smtp 80/tcp open http 9
  • 10. LESSON 5 – SYSTEM IDENTIFICATION 110/tcp open pop3 113/tcp open auth 135/tcp filtered msrpc 136/tcp filtered profile 137/tcp filtered netbios-ns 138/tcp filtered netbios-dgm 139/tcp filtered netbios-ssn 143/tcp open imap 144/tcp open news 161/tcp filtered snmp 306/tcp open unknown 443/tcp open https 445/tcp filtered microsoft-ds 513/tcp open login 514/tcp open shell No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi). TCP/IP fingerprint: SInfo(V=3.50%P=i686-pc-windows-windows%D=7/3%Time=40E74EC0%O=21%C=1) TSeq(Class=TR%IPID=RD%TS=1000HZ) T1(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT) T2(Resp=N) T3(Resp=N) T4(Resp=N) T5(Resp=Y%DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(Resp=N) T7(Resp=N) Uptime 1.877 days (since Thu Jul 01 23:23:56 2004) Nmap run completed -- 1 IP address (1 host up) scanned in 775.578 seconds The ports marked as filtered are well-known as potentially vulnerable to attack, so it is not a surprise to find them listed as filtered. What is most interesting is that ports 21, 22 and 23 – for ftp, ssh and telnet – are all listed as open. The last thing that nmap does is to try to identify the operating system that is running on the scanned computer. In this instance, the tests that nmap runs are inconclusive, however, since nmap does show that ftp and telnet services are both running, you can attempt to connect through each of those to see if there is a banner that will be broadcast. When you connect through FTP you see a banner that says: 10
  • 11. LESSON 5 – SYSTEM IDENTIFICATION 220 ftp316.pair.com NcFTPd Server (licensed copy) ready. When you then connect through telnet, the computer displays a banner which says FreeBSD/i386 (ttyp7) A quick web search tells you that NcFTPd is a Unix program and that FreeBSD is a Unix-type operating system, so it is likely that the server is running a version of FreeBSD as its operating system. You can't be certain that this is accurate (banners can be spoofed), but you can accept this as a reasonable guess. So, by using nmap, along with FTP and telnet, you have determined that the server which has been sending you spam runs a Unix-type operating system – probably FreeBSD – and is set up to send and receive a large variety of information, through a number of services including FTP, telnet, http, smtp and pop3. 11
  • 12. LESSON 5 – SYSTEM IDENTIFICATION Further Reading Nmap: http://www.insecure.org/nmap/ More on Nmap: http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=8702942&classr oom= Fport:http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent =/resources/proddesc/fport.htm A number of site detailing ports and the services that use them: http://www.chebucto.ns.ca/~rakerman/port-table.html http://www.chebucto.ns.ca/~rakerman/port-table.html#IANA http://www.iana.org/assignments/port-numbers http://www.networksorcery.com/enp/protocol/ip/ports00000.htm Various DNS lookups: http://www.dnsstuff.com/ Ping:http://www.freesoft.org/CIE/Topics/53.htm 12